From: Wei Yongjun Subject: Re: [PATCH] svcgss: reply AUTH_BADCRED to RPCSEC_GSS with unkown services Date: Wed, 26 Aug 2009 08:34:39 +0800 Message-ID: <4A94831F.8060508@cn.fujitsu.com> References: <4A77FF18.4040804@cn.fujitsu.com> <20090825214002.GD32708@fieldses.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Cc: Neil Brown , linux-nfs@vger.kernel.org, nfsv4@linux-nfs.org To: "J. Bruce Fields" Return-path: Received: from cn.fujitsu.com ([222.73.24.84]:58399 "EHLO song.cn.fujitsu.com" rhost-flags-OK-FAIL-OK-OK) by vger.kernel.org with ESMTP id S932068AbZHZAhU (ORCPT ); Tue, 25 Aug 2009 20:37:20 -0400 In-Reply-To: <20090825214002.GD32708@fieldses.org> Sender: linux-nfs-owner@vger.kernel.org List-ID: J. Bruce Fields wrote: > On Tue, Aug 04, 2009 at 05:27:52PM +0800, Wei Yongjun wrote: > >> When RPC messages is received with RPCSEC_GSS, and if the RPCSEC_GSS >> include unkown services (not RPC_GSS_SVC_NONE, RPC_GSS_SVC_INTEGRITY >> and RPC_GSS_SVC_PRIVACY), the response is considered as AUTH_BADCRED >> in svcauth_gss_accept(), but the response be drop by >> svcauth_gss_release(). I think response with AUTH_BADCRED is correct >> one. So this patch fixed it. >> > > Thanks! How did you find this? (And how did you test the result?) > I test this used newpynfs, the GSS8 item test for this. #./testserver.py nfsserver:/ --security=krb5 GSS8 > >> diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c >> index 2278a50..6dce327 100644 >> --- a/net/sunrpc/auth_gss/svcauth_gss.c >> +++ b/net/sunrpc/auth_gss/svcauth_gss.c >> @@ -1370,7 +1370,7 @@ svcauth_gss_release(struct svc_rqst *rqstp) >> goto out_err; >> break; >> default: >> - goto out_err; >> + goto out; >> } >> >> out: >> > > The goto seems redundant. How about just leaving out the default case > and providing a comment? (See below.) > > --b. > > commit ab3654a05aaf367b23bbb3d9229ff72a11999719 > Author: Wei Yongjun > Date: Tue Aug 4 17:27:52 2009 +0800 > > svcgss: reply AUTH_BADCRED to RPCSEC_GSS with unknown service > > When an RPC message is received with RPCSEC_GSS with an unknown service > (not RPC_GSS_SVC_NONE, RPC_GSS_SVC_INTEGRITY, or RPC_GSS_SVC_PRIVACY), > svcauth_gss_accept() returns AUTH_BADCRED, but svcauth_gss_release() > subsequently drops the response entirely, discarding the error. > > Fix that so the AUTH_BADCRED error is returned to the client. > > Signed-off-by: Wei Yongjun > Signed-off-by: J. Bruce Fields > > diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c > index 2e6a148..f6c51e5 100644 > --- a/net/sunrpc/auth_gss/svcauth_gss.c > +++ b/net/sunrpc/auth_gss/svcauth_gss.c > @@ -1374,8 +1374,10 @@ svcauth_gss_release(struct svc_rqst *rqstp) > if (stat) > goto out_err; > break; > - default: > - goto out_err; > + /* > + * For any other gc_svc value, svcauth_gss_accept() already set > + * the auth_error appropriately; just fall through: > + */ > } > > out: > > > >